PROG Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

PROG Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 09:25:28 EST.

Filings

10-K filed on 2024-02-21

PROG Holdings, Inc. filed an 10-K at 2024-02-21 09:25:28 EST
Accession Number: 0001808834-24-000021

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Company maintains a cybersecurity program designed to detect, identify, classify and mitigate cybersecurity and other data security threats, as part of its efforts to protect and maintain the confidentiality and security of customer, employee and vendor information, and non-public information about the Company. This cybersecurity program is based in-part on, and its maturity is measured using, the U.S. Department of Commerce s National Institute of Standards and Technology (NIST) Cybersecurity Framework. In furtherance of detecting, identifying, classifying and mitigating cybersecurity and other data security threats, the Company also: adopted and maintains information security and privacy policies; conducts targeted audits and penetration tests throughout the year, using both internal and external resources; engages nationally-known third party cybersecurity consultants to independently evaluate the Company’s information security maturity on a regular basis; maintains a vendor risk management program, which includes receiving the results of cybersecurity audits conducted on vendors, for a portion of our vendors, and conduct cyber related risk assessments on other vendors; provides mandatory security and privacy training and awareness to all of its employees so that employees understand the behaviors and requirements necessary to safeguard information resources at the Company; maintains cyber liability insurance; and complies with the Payment Card Industry Data Security Standard. 33 The Company has a dedicated team of employees overseeing its cybersecurity program and initiatives, led by the Company’s Chief Information Security Officer (who has over twenty years’ experience working in cyber and information security roles with large companies, including multiple senior executive positions), and works directly in consultation with internal and external advisors in connection with these efforts. Pursuant to the Company’s cybersecurity program, potential cybersecurity threats are classified by risk levels and threat mitigation efforts are typically prioritized based on those risk classifications, while focus also remains on maintaining the resiliency of the Company’s information systems. In the event the Company identifies a potential cybersecurity issue, the Company has defined procedures for responding to such issues, including procedures that address when and how to engage with Company management, the Board of Directors, other stakeholders and law enforcement. In addition, the Company maintains an Enterprise Information Security Committee comprised of a cross-functional group of senior executives and other employees that meet on a regular basis to provide oversight with respect to the Company’s cybersecurity program and initiatives. The Company’s Board of Directors has ultimate oversight responsibility for risks relating to the Company’s cybersecurity program. In addition, the Audit Committee assists the Board of Directors in monitoring the Company’s cybersecurity investments, initiatives, key benchmarks and risk mitigation plans, and regularly makes inquiries of the Company’s management team, internal auditors and independent auditors in connection therewith. In addition, the Company’s Enterprise Risk Management Committee, which is comprised of members of the Company’s executive leadership team, is informed on a regular basis about, and monitors, the Company’s efforts and initiatives to prevent, detect, mitigate and remediate cybersecurity-related risks, and to further improve the Company’s cybersecurity maturity, including through presentations it receives from the Company’s Chief Information Security Officer. Conducting the Company’s businesses involves the collection, storage, use, disclosure, processing, transfer, and other handling of a wide variety of information, including personally identifiable information, for various purposes in the Company’s businesses, including to help ensure the integrity of the Company’s services and to provide features and functionality to the Company s customers and POS partners. Like other companies that process a wide variety of information, the Company’s information technology systems, networks and infrastructure and technology have been, and may in the future be, vulnerable to cybersecurity attacks and other data security threats. These types of attacks are constantly evolving, may be difficult to detect quickly, and often are not recognized until after they have been launched against a target. For example, and as the Company previously disclosed, Progressive Leasing experienced a cybersecurity incident in September 2023, which affected certain of its systems. While there was no major operational impact to any of Progressive Leasing s services as a result of the incident, and the Company s other subsidiaries were not impacted, this incident, as well as any other breach of the Company s systems or facilities, or those of Progressive Leasing, Vive or Four, may continue to result in cybersecurity-related risks. For more information about these and other cybersecurity risks faced by the Company, see Part 1. Item 1A. “Risk Factors.”

Company Information